[Fedora-directory-users] Windows Active Directory sync Help!

Rich Megginson rmeggins at redhat.com
Thu Jan 10 17:25:55 UTC 2008


kiran madala wrote:
> I am using Java 1.4 on Fedora 6 with fedora ds1.1 
>   
The stack trace below shows (libgcj.so.7rh) which means it is using the 
gcj free java.  You must install a proprietary Java in order to run the 
console if you are not using Fedora 8.  See 
http://directory.fedoraproject.org/wiki/Install_Guide#Java_is_required_for_the_console
> ----------------------------------------
>   
>> Date: Wed, 9 Jan 2008 18:33:47 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>     
>>> Also the console gives me this error when I click on manage certificates on the DS server and never opens up. It works fine on AS server
>>>   
>>>       
>> Looks like a bug.  Are you using the IcedTea java on Fedora 8?
>>     
>>> Exception during event dispatch:
>>> java.lang.NullPointerException
>>>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>>>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>>>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>>>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>>>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>>>    at java.awt.Component.processEvent(libgcj.so.7rh)
>>>    at java.awt.Container.processEvent(libgcj.so.7rh)
>>>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>>>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>>    at java.lang.Thread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>>    at java.lang.Thread.run(libgcj.so.7rh)
>>>
>>>
>>>
>>> ----------------------------------------
>>>   
>>>       
>>>> From: kirankmadala at hotmail.com
>>>> To: fedora-directory-users at redhat.com
>>>> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
>>>> Date: Wed, 9 Jan 2008 17:03:18 -0400
>>>>
>>>>
>>>> I keep getting these errors when trying to initiate sync 
>>>>
>>>> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
>>>> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>>>>
>>>> The LDAP search is not installed on my machine so I could not do a search
>>>> ----------------------------------------
>>>>     
>>>>         
>>>>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>>>>> From: rmeggins at redhat.com
>>>>> To: fedora-directory-users at redhat.com
>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>       
>>>>>           
>>>>>> Sorry here is the error log for DS server
>>>>>>
>>>>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>>>>
>>>>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine. 
>>>>>>   
>>>>>>         
>>>>>>             
>>>>> Did you configure the agreement to use SSL?  Error 91 means some sort of 
>>>>> connection problem, or invalid argument to the LDAP API e.g. you are 
>>>>> attempting to use LDAP on the secure port instead of LDAPS.
>>>>>
>>>>> You can verify that TLS/SSL is working by using ldapsearch from the 
>>>>> command line.  On the directory server machine:
>>>>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 636 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>>>>
>>>>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>>>>       
>>>>>           
>>>>>> ----------------------------------------
>>>>>>   
>>>>>>         
>>>>>>             
>>>>>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>>>>>> From: rmeggins at redhat.com
>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>
>>>>>>> kiran madala wrote:
>>>>>>>     
>>>>>>>           
>>>>>>>               
>>>>>>>> I am using Fedora 1.1 on Fedora 6 x86 machine. When I fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?
>>>>>>>>
>>>>>>>> The error log for DS server is below. The IP is the windows xp machine on which I am running the remote DS console.
>>>>>>>>
>>>>>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>>>>>> <snip>
>>>>>>>>   
>>>>>>>>       
>>>>>>>>             
>>>>>>>>                 
>>>>>>> Actually, this is the error log for the admin server.  The error log for 
>>>>>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance 
>>>>>>> is your instance name.
>>>>>>>
>>>>>>> The console might be failing to connect to AD because the console has a 
>>>>>>> separate key/cert db under ~/.fedora-idm-console (in 1.1).  You may need 
>>>>>>> to add the CA cert in this directory too:
>>>>>>>
>>>>>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>>>>>
>>>>>>>     
>>>>>>>           
>>>>>>>               
>>>>>>>> ----------------------------------------
>>>>>>>>   
>>>>>>>>       
>>>>>>>>             
>>>>>>>>                 
>>>>>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>>>>>> From: rmeggins at redhat.com
>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>
>>>>>>>>> kiran madala wrote:
>>>>>>>>>     
>>>>>>>>>         
>>>>>>>>>               
>>>>>>>>>                   
>>>>>>>>>> As far as I understand by reading docs again, the user specified in the Sync agreement and Bind DN should be the same and exist on Active Directory with Domain Admin privileges. But I have other issues now.
>>>>>>>>>>
>>>>>>>>>> The DS server is unable to connect to my AD.
>>>>>>>>>>       
>>>>>>>>>>           
>>>>>>>>>>                 
>>>>>>>>>>                     
>>>>>>>>> What error messages are you getting?  Check the error log.
>>>>>>>>>
>>>>>>>>> You can also try using ldapsearch.  Are you using Fedora DS 1.1 or 
>>>>>>>>> 1.0.4?  What OS?
>>>>>>>>>     
>>>>>>>>>         
>>>>>>>>>               
>>>>>>>>>                   
>>>>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>>>>>   
>>>>>>>>>>       
>>>>>>>>>>           
>>>>>>>>>>                 
>>>>>>>>>>                     
>>>>>>>>> You don't need to use cert based client auth.  You can use regular 
>>>>>>>>> username/password auth over TLS/SSL.
>>>>>>>>>     
>>>>>>>>>         
>>>>>>>>>               
>>>>>>>>>                   
>>>>>>>>>> My current certificates are as follows.
>>>>>>>>>>
>>>>>>>>>> DS has its own server certificate
>>>>>>>>>> AD has its own server  certificate
>>>>>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>   
>>>>>>>>>>       
>>>>>>>>>>           
>>>>>>>>>>                 
>>>>>>>>>>                     
>>>>>>>>>>> From: kirankmadala at hotmail.com
>>>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>>>>>>>>>>>
>>>>>>>>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>>>>>>>>>>>
>>>>>>>>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?
>>>>>>>>>>>
>>>>>>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users; what changes do I need to make it synchronize groups as well?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance
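An added example, not part of the original thread and not Fedora DS code: a small shell triage that maps the error-log lines quoted in this thread to the diagnosis given in the replies. The function names and result codes are hypothetical, and the sample log is constructed from the lines quoted above.

```sh
#!/bin/sh
# Added example: sample lines constructed from the log excerpts quoted in this thread.
sample_log() {
cat <<'EOF'
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
EOF
}

# Hypothetical helper: prints "CODE|agreement|host:port|hint" for one log line.
# The body runs in a subshell ( ... ) so its variables stay local.
triage_line() (
  line=$1
  # Replication-plugin lines carry the agreement name and the peer host:port.
  re='s/.*agmt="\([^"]*\)" (\([^)]*\)).*/'
  agmt=$(printf '%s\n' "$line" | sed -n "${re}\\1/p")
  peer=$(printf '%s\n' "$line" | sed -n "${re}\\2/p")
  case $line in
    *"SSL client authentication failed"* | *ldapssl_enable_clientauth*)
      code=CLIENT_CERT_BIND
      hint="bind uses a client certificate; per the reply, username/password over TLS/SSL is enough" ;;
    *"Simple bind failed"*"error 91"*)
      code=CONNECT_OR_TLS
      hint="connection problem or plain LDAP on the secure port; test with ldapsearch -Z" ;;
    *admserv_host_ip_check*)
      code=ADMIN_SERVER_LOG
      hint="admin server message; sync errors are under /var/log/dirsrv/slapd-INSTANCE" ;;
    *)
      code=UNCLASSIFIED
      hint="no rule from this thread applies" ;;
  esac
  printf '%s|%s|%s|%s\n' "$code" "${agmt:--}" "${peer:--}" "$hint"
)

# Classify every non-empty line read from stdin.
triage_log() {
  while IFS= read -r l; do
    if [ -n "$l" ]; then triage_line "$l"; fi
  done
}

sample_log | triage_log
```

To triage a real log, pipe it in instead of the sample, for example `triage_log < errors` run from the instance's log directory.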
